CVE-2026-29200: A 9.9 CVSS Comet Backup Flaw Granting Total Cross-Tenant Takeover
Ddos 
Comet Backup, a prominent provider of secure backup software for IT professionals and global businesses, has issued an urgent security alert following the discovery of a critical vulnerability in its server software. The flaw, tracked as CVE-2026-29200, carries a nearly maximum CVSS score of 9.9, signaling a critical risk to data privacy and multi-tenant security.
The software, which allows users to control their own backup environments across major cloud providers like AWS, Azure, and Google Cloud, was found to have a fundamental logic error in its API.
The vulnerability is classified as an Insecure Direct Object Reference (IDOR). This specific type of flaw occurs when an application provides direct access to objects based on user-supplied input, allowing an attacker to bypass authorization and access data belonging to others.
In the case of Comet Backup, the impact is particularly severe for service providers.
A tenant administrator could exploit a vulnerable API call to impersonate end-user accounts. This impersonation was not limited to the administrator’s own organization; they could seize control of any end-user account belonging to other tenants hosted on the same server. A complete cross-tenant account takeover is possible.
This vulnerability was discovered and responsibly reported by the research team at A Security.
The flaw affectsnearly six years of software releases. Specifically, the vulnerability exists in:
- All Comet Backup versions from 20.11.0 to 26.1.1.
- Comet Backup version 26.2.1.
Comet Backup has moved quickly to neutralize the threat. While the company has already patched its Comet Hosted servers—requiring no action from those administrators—users of self-hosted instances are at extreme risk until they manually intervene.
Update your Comet Backup installation immediately to version 26.1.2, 26.2.2, or higher. Patched installers can be found at the official Comet Backup downloads page.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
